Identifying an evasive malicious object based on a behavior delta

ABSTRACT

A security device may receive actual behavior information associated with an object. The actual behavior information may identify a first set of behaviors associated with executing the object in a live environment. The security device may determine test behavior information associated with the object. The test behavior information may identify a second set of behaviors associated with testing the object in a test environment. The security device may compare the first set of behaviors and the second set of behaviors to determine a difference between the first set of behaviors and the second set of behaviors. The security device may identify whether the object is an evasive malicious object based on the difference between the first set of behaviors and the second set of behaviors. The security device may provide an indication of whether the object is an evasive malicious object.

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/455,981, filed Mar. 10, 2017 (now U.S. Pat. No. 9,922,193), which isa continuation of U.S. patent application Ser. No. 15/229,842, filedAug. 5, 2016 (now U.S. Pat. No. 9,594,908), which is a continuation ofU.S. patent application Ser. No. 14/502,713, filed Sep. 30, 2014 (nowU.S. Pat. No. 9,411,959), the disclosures of which are incorporatedherein by reference.

BACKGROUND

A security device may be positioned between a user device and a serverdevice (e.g., a server device associated with a web site). The securitydevice may be configured to detect (e.g., using URL reputations,blacklists, anti-virus scanning, anti-malware techniques, etc.)malicious objects (e.g., a Trojan, a worm, a spyware program, a documentcontaining an exploit, etc.), provided by the server device, and may beconfigured to prevent the malicious objects from being received by theuser device.

SUMMARY

According some possible implementations, a security device may compriseone or more processors to: receive actual behavior informationassociated with an object, where the actual behavior information mayidentify a first set of behaviors associated with executing the objectin a live environment; determine test behavior information associatedwith the object, where the test behavior information may identify asecond set of behaviors associated with testing the object in a testenvironment; compare the first set of behaviors and the second set ofbehaviors to determine a difference between the first set of behaviorsand the second set of behaviors; identify whether the object is anevasive malicious object based on the difference between the first setof behaviors and the second set of behaviors; and provide an indicationof whether the object is an evasive malicious object.

According to some possible implementations, a computer-readable mediummay store one or more instructions that, when executed by one or moreprocessors, cause the one or more processors to: determine test behaviorinformation associated with an object, where the test behaviorinformation may identify a test set of behaviors associated with testingthe object in a test environment; obtain actual behavior informationassociated with the object, where the actual behavior information mayidentify an actual set of behaviors associated with executing orinstalling the object in a live environment; compare the actual set ofbehaviors and the test set of behaviors to determine a differencebetween the actual set of behaviors and the test set of behaviors;determine whether the object as an evasive malicious object based on thedifference between the actual set of behaviors and the test set ofbehaviors; and provide information indicating whether the object is anevasive malicious object.

According to some possible implementations, a method may include:receiving, by a security device, actual behavior information associatedwith an object, where the actual behavior information may identify afirst group of behaviors associated with executing the object on a userdevice; determining, by the security device, test behavior informationassociated with the object, where the test behavior information mayidentify a second group of behaviors associated with testing the objecton the security device; determining, by the security device, adifference between the first group of behaviors and the second group ofbehaviors; identifying, by the security device, the object as an evasivemalicious object based on the difference between the first group ofbehaviors and the second group of behaviors; and providing, by thesecurity device, information associated with identifying the object asan evasive malicious object.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of an overview of an example implementationdescribed herein;

FIG. 2 is a diagram of an example environment in which systems and/ormethods, described herein, may be implemented;

FIG. 3 is a diagram of example components of one or more devices of FIG.2;

FIG. 4 is a flow chart of an example process for determining testbehavior information associated with an object, and storing the testbehavior information associated with the object;

FIG. 5 is a diagram of an example implementation relating to the exampleprocess shown in FIG. 4;

FIG. 6 is a flow chart of an example process for determining actualbehavior information, associated with an object, and providing theactual behavior information;

FIG. 7 is a diagram of an example implementation relating to the exampleprocess shown in FIG. 6;

FIG. 8 is a flow chart of an example process for identifying an objectas an evasive malicious object based on comparing actual behaviorinformation, associated with the object, and the test behaviorinformation associated with the object; and

FIG. 9 is a diagram of an example implementation relating to the exampleprocess shown in FIG. 8.

DETAILED DESCRIPTION

The following detailed description of example implementations refers tothe accompanying drawings. The same reference numbers in differentdrawings may identify the same or similar elements.

A security device may attempt to detect a malicious object (e.g., anobject that includes malware, a virus, or another type of maliciouscode) being provided to a user device. However, the security device maybe unable to detect the malicious object if the malicious object hasbeen designed to evade detection. One such evasion strategy involvespreventing the malicious object from exhibiting any malicious behaviorsif the malicious object determines that it is being tested in anemulated environment, a sandbox environment, or the like. For example,the security device may implement a sandbox to test (e.g., analyze,execute, inspect, etc.) an object within a full operating system runningon a virtual machine (VM). The test behavior of the object may beprofiled and heuristics may be applied in order to determine whether theobject is malicious. However, a malicious object may be designed todetect that the malicious object is being tested in the sandbox, and mayrefrain from exhibiting malicious behavior upon such a detection. Assuch, the security device may incorrectly determine that the object isnot malicious, and the malicious object may be provided to the userdevice. What is needed is a solution that allows the security device todetermine that an object behaves differently when being executed on theuser device, as compared to when the object is being tested by thesecurity device (e.g., a difference between actual behavior and testbehavior may be indicative that the object is an evasive maliciousobject).

Implementations described herein may allow a security device to identifyan object as an evasive malicious object based on comparing actualbehavior information, associated with the object and determined by auser device, and test behavior information associated with the objectand determined by the security device.

FIG. 1 is a diagram of an overview of an example implementation 100described herein. For the purposes of example implementation 100, assumethat an object is being provided to a user device by a server device(e.g., based on a request made by the user device). Further, assume thata security device is positioned between the user device and the serverdevice, and that the security device is configured to detect whetherobjects being provided to the user device are malicious objects.

As shown in FIG. 1, and by reference number 105, the security device mayreceive the object provided by the server device. As shown by referencenumber 110, the security device may then test (e.g., execute, analyze,inspect, etc.) the object in order to determine test behaviorinformation associated with the object. As shown by reference number115, the security device may provide the object to the user device. Asshown by reference number 120, the user may determine (e.g., byexecuting the object, opening the object, running the object, installingthe object, etc.) actual behavior information associated with theobject. As shown by reference number 125, the user device may providethe actual behavior information, associated with the object, to thesecurity device.

As shown by reference number 130, the security device may receive theactual behavior information, and may compare the actual behaviorinformation and the test behavior information. As shown by referencenumber 135, the security device may determine, based on comparing theactual behavior information and the test behavior information, that theactual behavior information differs from the test behavior information(e.g., that the actual behavior information shows a behavior that is notshown in the test behavior information). As shown by reference number140, based on determining that the actual behavior information differsfrom the test behavior information, the security device may identify(e.g., by conducting additional analysis of the object; by inputtinginformation associated with the actual behavior, information associatedwith the test behavior, and/or information with a difference between theactual behavior and the test behavior into a machine learning modeltrained to classify objects as malicious or benign, etc.) the object asan evasive malicious object, and may act accordingly (e.g., by notifyinga user of the user device, etc.).

In this way, a security device may identify an object as an evasivemalicious object based on comparing actual behavior information,associated with the object (e.g., determined by a user device), and testbehavior information associated with the object (e.g., determined by thesecurity device).

FIG. 2 is a diagram of an example environment 200 in which systemsand/or methods, described herein, may be implemented. As shown in FIG.2, environment 200 may include a user device 210, a security device 220,a server device 230, and a network 240. Devices of environment 200 mayinterconnect via wired connections, wireless connections, or acombination of wired and wireless connections.

User device 210 may include one or more devices capable of communicatingwith other devices (e.g., server device 230) via a network (e.g.,network 240), and/or capable of receiving information provided byanother device (e.g., server device 230). For example, user device 210may include a computing device, such as a laptop computer, a tabletcomputer, a handheld computer, a desktop computer, a mobile phone (e.g.,a smart phone, a radiotelephone, etc.), a personal digital assistant, ora similar device. In some implementations, user device 210 may host asecurity client configured to determine actual behavior informationassociated with an object received by user device 210. Additionally, oralternatively, user device 210 may be capable of providing the actualbehavior information to security device 220.

Security device 220 may include one or more devices capable ofreceiving, generating, determining, providing, and/or storing behaviorinformation (e.g., test behavior information or actual behaviorinformation) associated with an object. For example, security device 220may include a computing device, such as a server. In someimplementations, security device 220 may be capable of determining testbehavior information associated with an object. For example, securitydevice 220 may host a sandbox environment that allows security device220 to execute, analyze, run, install, or the like, an object in orderto determine test behavior information associated with the object.Additionally, or alternatively, security device 220 may be capable ofdetermining the test behavior information in another manner.

In some implementations, security device 220 may be capable ofidentifying whether an object is an evasive malicious object based ontest behavior information, associated with the object, and actualbehavior information associated with the object. Additionally, oralternatively, security device 220 may include one or more devicescapable of processing and/or transferring communications (e.g., arequest, a response, etc.) between user device 210 and server device230. For example, security device 220 may include a network device, suchas a reverse proxy, a server (e.g., a proxy server), a traffic transferdevice, a firewall, a router, a load balancer, or the like.

Security device 220 may be used in connection with a single serverdevice 230 or a group of server devices 230 (e.g., a data center).Communications may be routed through security device 220 to reach theone or more server devices 230. For example, security device 220 may bepositioned within a network as a gateway to a private network thatincludes one or more server devices 230. Additionally, or alternatively,security device 220 may be used in connection with a single user device210 or a group of user devices 210. Communications may be routed throughsecurity device 220 to reach the one or more user devices 210. Forexample, security device 220 may be positioned within a network as agateway to a private network that includes one or more user devices 210.

Server device 230 may include one or more devices capable of receiving,providing, generating, storing, and/or processing information associatedwith an object. For example, server device 230 may include a computingdevice, such as a server (e.g., an application server, a content server,a host server, a web server, etc.).

Network 240 may include one or more wired and/or wireless networks. Forexample, network 240 may include a wireless local area network (WLAN), alocal area network (LAN), a wide area network (WAN), a metropolitan areanetwork (MAN), a telephone network (e.g., the Public Switched TelephoneNetwork (PSTN)), a cellular network, a public land mobile network(PLMN), an ad hoc network, an intranet, the Internet, a fiberoptic-based network, or a combination of these or other types ofnetworks. In some implementations, network 240 may allow communicationbetween devices, such as user device 210, server device 230, and/orsecurity device 220.

The number and arrangement of devices and networks shown in FIG. 2 areprovided as an example. In practice, there may be additional devicesand/or networks, fewer devices and/or networks, different devices and/ornetworks, or differently arranged devices and/or networks than thoseshown in FIG. 2. Furthermore, two or more devices shown in FIG. 2 may beimplemented within a single device, or a single device shown in FIG. 2may be implemented as multiple, distributed devices. Additionally, oralternatively, a set of devices (e.g., one or more devices) ofenvironment 200 may perform one or more functions described as beingperformed by another set of devices of environment 200.

FIG. 3 is a diagram of example components of a device 300. Device 300may correspond to user device 210, security device 220, and/or serverdevice 230. In some implementations, user device 210, security device220, and/or server device 230 may include one or more devices 300 and/orone or more components of device 300. As shown in FIG. 3, device 300 mayinclude a bus 310, a processor 320, a memory 330, a storage component340, an input component 350, an output component 360, and acommunication interface 370.

Bus 310 may include a component that permits communication among thecomponents of device 300. Processor 320 may include a processor (e.g., acentral processing unit (CPU), a graphics processing unit (GPU), anaccelerated processing unit (APU), etc.), a microprocessor, and/or anyprocessing component (e.g., a field-programmable gate array (FPGA), anapplication-specific integrated circuit (ASIC), etc.) that interpretsand/or executes instructions. Memory 330 may include a random accessmemory (RAM), a read only memory (ROM), and/or another type of dynamicor static storage device (e.g., a flash memory, a magnetic memory, anoptical memory, etc.) that stores information and/or instructions foruse by processor 320.

Storage component 340 may store information and/or software related tothe operation and use of device 300. For example, storage component 340may include a hard disk (e.g., a magnetic disk, an optical disk, amagneto-optic disk, a solid state disk, etc.), a compact disc (CD), adigital versatile disc (DVD), a floppy disk, a cartridge, a magnetictape, and/or another type of computer-readable medium, along with acorresponding drive.

Input component 350 may include a component that permits device 300 toreceive information, such as via user input (e.g., a touch screendisplay, a keyboard, a keypad, a mouse, a button, a switch, amicrophone, etc.). Additionally, or alternatively, input component 350may include a sensor for sensing information (e.g., a global positioningsystem (GPS) component, an accelerometer, a gyroscope, an actuator,etc.). Output component 360 may include a component that provides outputinformation from device 300 (e.g., a display, a speaker, one or morelight-emitting diodes (LEDs), etc.).

Communication interface 370 may include a transceiver-like component(e.g., a transceiver, a separate receiver and transmitter, etc.) thatenables device 300 to communicate with other devices, such as via awired connection, a wireless connection, or a combination of wired andwireless connections. Communication interface 370 may permit device 300to receive information from another device and/or provide information toanother device. For example, communication interface 370 may include anEthernet interface, an optical interface, a coaxial interface, aninfrared interface, a radio frequency (RF) interface, a universal serialbus (USB) interface, a Wi-Fi interface, a cellular network interface, orthe like.

Device 300 may perform one or more processes described herein. Device300 may perform these processes in response to processor 320 executingsoftware instructions stored by a computer-readable medium, such asmemory 330 and/or storage component 340. A computer-readable medium isdefined herein as a non-transitory memory device. A memory deviceincludes memory space within a single physical storage device or memoryspace spread across multiple physical storage devices.

Software instructions may be read into memory 330 and/or storagecomponent 340 from another computer-readable medium or from anotherdevice via communication interface 370. When executed, softwareinstructions stored in memory 330 and/or storage component 340 may causeprocessor 320 to perform one or more processes described herein.Additionally, or alternatively, hardwired circuitry may be used in placeof or in combination with software instructions to perform one or moreprocesses described herein. Thus, implementations described herein arenot limited to any specific combination of hardware circuitry andsoftware.

The number and arrangement of components shown in FIG. 3 are provided asan example. In practice, device 300 may include additional components,fewer components, different components, or differently arrangedcomponents than those shown in FIG. 3. Additionally, or alternatively, aset of components (e.g., one or more components) of device 300 mayperform one or more functions described as being performed by anotherset of components of device 300.

FIG. 4 is a flow chart of an example process 400 for determining testbehavior information associated with an object, and storing the testbehavior information associated with the object. In someimplementations, one or more process blocks of FIG. 4 may be performedby security device 220. In some implementations, one or more processblocks of FIG. 4 may be performed by another device or a group ofdevices separate from or including security device 220, such as userdevice 210.

As shown in FIG. 4, process 400 may include receiving an objectassociated with a user device (block 410). For example, security device220 may receive an object associated with user device 210. In someimplementations, security device 220 may receive the object when serverdevice 230 provides the object for transmission to user device 210(e.g., when security device 220 is positioned to receive objectsprovided to user device 210). Additionally, or alternatively, securitydevice 220 may receive the object when another device provides theobject to security device 220, such as user device 210 or a deviceincluded in network 240.

An object may include an executable object (e.g., a Windows executablefile (EXE), a Windows script file (WSF), etc.), a web page object (e.g.,a hypertext markup language (HTML) document, etc.), a text object (e.g.,a Microsoft Word document (DOC), a plain text file (TXT)), a page layoutobject (e.g., a portable document format file (PDF), a picture file(PCT)), a compressed object (e.g., a zipped file (ZIP), a WinRARcompressed archive (RAR), etc.), or another type of object.

In some implementations, security device 220 may receive the objectbased on a request provided by user device 210. For example, a user ofuser device 210 may provide (e.g., via an input mechanism of user device210) information that indicates that user device 210 is to receive theobject, and user device 210 may send a request to server device 230(e.g., when server device 230 stores the object). In this example,server device 230 may receive the request, and may provide the object tosecurity device 220 (e.g., when security device 220 is positioned toreceive the object before the object is sent to user device 210). Insome implementations, the user may be unaware that user device 210 hassent a request for the object (e.g., when a program running on userdevice 210 is configured to automatically cause user device 210 torequest an object, etc.). In some implementations, security device 220may receive the object based on the object being provided by serverdevice 230. For example, server device 230 may send the object to userdevice 210 (e.g., without user device 210 requesting the object), andsecurity device 220 may receive the object from server device 230.

Additionally, or alternatively, security device 220 may receive theobject from user device 210. For example, user device 210 may receivethe object from server device 230, and may determine actual behaviorinformation, associated with the object, as described below. In thisexample, user device 210 may provide the object to security device 210along with the actual behavior information (e.g., in order to allowsecurity device 220 to determine test behavior information associatedwith the object).

As further shown in FIG. 4, process 400 may include determining testbehavior information associated with the object (block 420). Forexample, security device 220 may determine test behavior informationassociated with the object. In some implementations, security device 220may determine the test behavior information after security device 220receives the object. Additionally, or alternatively, security device 220may determine the test behavior information when security device 220receives an indication that security device 220 is to determine the testbehavior information.

Test behavior information may include information that identifies one ormore behaviors associated with testing an object in a test environment(e.g., a sandbox environment, an emulated environment, an environmenthosted by a VM, etc.). In some implementations, the test behaviorinformation may be compared to actual behavior information in order toidentify the object as an evasive malicious object, as described below.In some implementations, security device 220 may determine the testbehavior information based on executing the object in an emulatedenvironment. For example, security device 220 may implement a sandboxenvironment within a full operating system running on a VM. Here,security device 220 may execute the object in the sandbox environment inorder to determine the test behavior information. Testing the object ina test environment may allow security device 220 to perform dynamicanalysis of the object (e.g., in order to determine whether the objectis a malicious object) without risking any malicious activitiesoccurring on user device 210.

Additionally, or alternatively, security device 220 may determine thetest behavior by performing a static analysis of the object, such asscanning the object with anti-virus software, performing a stringssearch of the object, disassembling the object, or the like.Additionally, or alternatively, security device 220 may determine thetest behavior information in another manner associated with analyzing,executing, inspecting, running, installing or otherwise testing theobject.

Additionally, or alternatively, security device 220 may determine thetest behavior based on information associated with another user device210. For example, a first user device 210 may provide, to securitydevice 220, actual behavior information, associated with the object, atan earlier time (e.g., when the first user device 210 received theobject at an earlier time). In this example, security device 220 maydetermine (e.g., based on the actual behavior information, and based ontest behavior information determined by security device 220), that theobject is an evasive malicious object. Security device 220 may store anindication that the object is an evasive malicious object and/or maystore the test behavior information associated with the object. Here,security device 220 may retrieve the indication and/or the test behaviorinformation when security device 220 is to determine test behaviorinformation based on the second user device 210 receiving the object(e.g., at a later time). In this way, security device 220 may use thepreviously determined test behavior information and/or may identify theobject as an evasive malicious object based on the stored indicationassociated with the object.

In some implementations, the test behavior information may indicate thatthe object is a malicious object. For example, security device 220 mayexecute the object within a sandbox environment, and may identify one ormore malicious and/or suspicious behaviors associated with executing theobject, such as a creation of a file, an edit of a file, a creation of aregistry key, an edit of a registry key, a deletion of a registry key, ascheduling of an automated task, an establishment of a networkconnection, or the like. In this example, security device 220 maydetermine, based on the test behavior information and/or based onperforming additional analysis of the object (e.g., using anothermalware detection technique, virus detection technique, spywaredetection technique, ransomware detection technique, etc.), that theobject is a malicious object. In some implementations, security device220 may not permit the object to be provided to user device 210 (e.g.,when the test behavior information is sufficient to allow securitydevice 220 to conclusively (with a particular degree of certainty)determine that the object is malicious). Alternatively, security device220 may permit the object to be provided to user device 210 even whensecurity device 220 identifies the one or more malicious and/orsuspicious behaviors (e.g., when the test behavior information is notsufficient to allow security device 220 to determine that the object ismalicious).

Alternatively, the test behavior information may indicate that theobject is not a malicious object. For example, security device 220 mayexecute the object within the sandbox environment, and may not identifymalicious and/or suspicious behaviors associated with executing theobject (i.e., the object may not cause any suspicious and/or maliciousbehaviors to be exhibited). Here, security device 220 may determine testbehavior information that identifies one or more normal behaviors (e.g.,non-malicious behaviors, non-suspicious behaviors, typical behaviors,expected behaviors, etc.). In this example, security device 220 maydetermine, based on the test behavior information and/or based onperforming additional analysis of the object (e.g., using anothermalware detection technique, virus detection technique, spywaredetection technique, ransomware detection technique, etc.), that theobject is not a malicious object, and may permit the object to beprovided to user device 210. In some implementations, security device220 may provide the object to user device 210 (e.g., after securitydevice 220 determines the test behavior information, before securitydevice 220 determines the test behavior information, concurrently withsecurity device 220 determining the test behavior information, etc.).Additionally, or alternatively, security device 220 may provideinformation indicating that user device 210 is to determine actualbehavior information, associated with the object, and provide the actualbehavior information to security device 220.

In some implementations, security device 220 may provide the testbehavior information, associated with the object, to user device 210(e.g., such that user device 210 may determine when actual behaviorinformation, associated with the object, deviates from the test behaviorinformation, as described below).

As further shown in FIG. 4, process 400 may include storing the testbehavior information associated with the object (block 430). Forexample, security device 220 may store the test behavior informationassociated with the object. In some implementations, security device 220may store the test behavior information when security device 220determines the test behavior information (e.g., after security device220 determines the test behavior information). Additionally, oralternatively, security device 220 may store the test behaviorinformation based on receiving an indication that security device 220 isto store the test behavior information.

In some implementations, security device 220 may store the test behaviorinformation in a memory location (e.g., a RAM, a ROM, a cache, a harddisk, etc.) of security device 220. In some implementations, securitydevice 220 may store the test behavior information in a test behaviorinformation data structure stored or accessible by security device 220.Additionally, or alternatively, security device 220 may provide the testbehavior information to another device for storage.

In some implementations, security device 220 may store the test behaviorinformation such that security device 220 may retrieve the test behaviorinformation at a later time. In some implementations, security device220 may store the test behavior information with respect to user device210. Additionally, or alternatively, security device 220 may store thetest behavior information with respect to the object.

Although FIG. 4 shows example blocks of process 400, in someimplementations, process 400 may include additional blocks, fewerblocks, different blocks, or differently arranged blocks than thosedepicted in FIG. 4. Additionally, or alternatively, two or more of theblocks of process 400 may be performed in parallel.

FIG. 5 is a diagram of an example implementation 500 relating to exampleprocess 400 shown in FIG. 4. For the purposes of FIG. 5, assume thatsecurity device 220 (e.g., SD1) is positioned between user device 210(e.g., UD1) and server device 230 (e.g., SiteX server). Further, assumethat SD1 is configured to determine test behavior information associatedwith objects to be provided to UD1.

As shown in FIG. 5, and by reference number 505, UD1 may send, to theSiteX server via SD1, a request for an object (e.g., game.exe) stored bythe SiteX server. As shown by reference number 510, the SiteX server mayprovide the object to SD1 based on the request provided by UD1. As shownby reference number 515, SD1 may receive the object and may execute theobject in a sandbox environment hosted by SD1. As shown by referencenumber 520, SD1 may identify two behaviors based on executing the object(e.g., a creation a game folder associated with game.exe and a downloadof image files associated with game.exe). As shown by reference number525, SD1 may determine that the two behaviors are normal behaviors(e.g., non-malicious, non-suspicious, etc.), that the object is not amalicious object, and SD1 may store test behavior information associatedwith the object. As shown by reference number 530, SD1 may then providethe object to UD1.

As indicated above, FIG. 5 is provided merely as an example. Otherexamples are possible and may differ from what was described with regardto FIG. 5.

FIG. 6 is a flow chart of an example process 600 for determining actualbehavior information, associated with an object, and providing theactual behavior information. In some implementations, one or moreprocess blocks of FIG. 6 may be performed by user device 210. In someimplementations, one or more process blocks of FIG. 6 may be performedby another device or a group of devices separate from or including userdevice 210, such as security device 220.

As shown in FIG. 6, process 600 may include receiving an object (block610). For example, user device 210 may receive an object. In someimplementations, user device 210 may receive the object when securitydevice 220 provides the object. Additionally, or alternatively, userdevice 210 may receive the object when server device 230 provides theobject (e.g., based on a request from user device 210). Additionally, oralternatively, user device 210 may receive the object from anotherdevice and/or at another time.

In some implementations, user device 210 may receive the object aftersecurity device 220 determines test behavior information associated withthe object. In other words, user device 210 may receive the object afterprocess 400 (described above) is performed by security device 220 (e.g.,when security device 220 is configured to determine the test behaviorinformation before user device 210 receives the object). Alternatively,user device 210 may receive the object before security device 220determines test behavior information associated with the object. Inother words, user device 210 may receive the object before process 400is performed by security device 220 (e.g., when security device 220 isconfigured to determine the test behavior information after user device210 receives the object and/or provides the object to security device220). Alternatively, user device 210 may receive the object concurrentlywith security device 220 determining test behavior informationassociated with the object.

As further shown in FIG. 6, process 600 may include determining actualbehavior information associated with the object (block 620). Forexample, user device 210 may determine actual behavior informationassociated with the object. In some implementations, user device 210 maydetermine the actual behavior information after user device 210 receivesthe object. Additionally, or alternatively, user device 210 maydetermine the actual behavior information when user device 210 receivesan indication (e.g., user input) to execute the object, run the object,open the object, install the object, or the like. Additionally, oralternatively, user device 210 may determine the actual behaviorinformation when user device 210 receives an indication that user device210 is to determine the actual behavior information.

Actual behavior information may include information that identifies oneor more behaviors exhibited by an object within a live environment(e.g., when the object is executed on user device 210, run on userdevice 210, opened by user device 210, installed on user device 210,etc.). In some implementations, user device 210 may determine the actualbehavior information by executing the object, running the object,opening the object, or the like, in a live environment associated withuser device 210 and monitoring the behavior of the object. In someimplementations, the actual behavior information may be compared to testbehavior information in order to identify the object as an evasivemalicious object, as described below.

In some implementations, user device 210 may determine the actualbehavior information based on an indication from the user. For example,user device 210 may be configured to (e.g., automatically) determineactual behavior information, associated with the object, when the userprovides input indicating that user device 210 is to execute the object.

Additionally, or alternatively, user device 210 may determine the actualbehavior information based on a configuration of user device 210. Forexample, user device 210 may be configured (e.g., based on a securityapplication hosted by user device 210) to determine the actual behaviorinformation when user device 210 executes the object, runs the object,opens the object, installs the object, or the like.

Additionally, or alternatively, user device 210 may determine the actualbehavior based on an indication provided by security device 220. Forexample, security device 220 may provide the object to user device 210along with an indication that user device 210 is to determine the actualbehavior information, associated with the object (e.g., as describedabove), and user device 210 may determine the actual behaviorinformation accordingly.

As further shown in FIG. 6, process 600 may include providing the actualbehavior information (block 630). For example, user device 210 mayprovide the actual behavior information. In some implementations, userdevice 210 may provide the actual behavior information after user device210 determines the actual behavior information. Additionally, oralternatively, user device 210 may provide the actual behaviorinformation when user device 210 receives information indicating thatuser device 210 is to provide the actual behavior information.

In some implementations, user device 210 may provide the actual behaviorinformation based on a threshold amount of time. For example, userdevice 210 may store information indicating that user device 210 is todetermine actual behavior information for a threshold amount of time(e.g., 30 seconds, five minutes, etc.) after user device 210 beginsexecuting the object, and user device 210 may determine and provide theactual behavior information accordingly. Additionally, or alternatively,user device 210 may periodically provide the actual behavior information(e.g., every 1 minute while the object is open, every 10 minutes whilethe object is running, etc.).

In some implementations, user device 210 may provide the actual behaviorinformation based on detecting a deviation from test behaviorinformation associated with the object. For example, security device 220may provide the test behavior information to user device 210 (e.g., whensecurity device 210 is configured to determine the test behaviorinformation before providing the object to user device 210). Here, userdevice 210 may receive the test behavior information and may begindetermining the actual behavior information (e.g., user device 210 maybegin executing the object and monitoring behaviors associated withexecuting the object). In this example, user device 210 may determine(e.g., at a time after user device 210 begins to execute the object),that the actual behavior information has deviated from the test behaviorinformation (e.g., when user device 210 identifies, during execution, abehavior that is not identified in the test behavior information), anduser device 210 may provide the actual behavior information to securitydevice 220.

In some implementations, user device 210 may provide the object alongwith the actual behavior information. For example, user device 210 mayreceive the object before security device 220 determines test behaviorinformation associated with the object, and user device 210 may executethe object. Here, user device 210 may provide, to security device 220,the actual behavior information along with the object (e.g., such thatsecurity device 220 may execute the object in a test environment (e.g.,a sandbox environment, an emulated environment, using a VM hosted bysecurity device 220, etc.) in order to determine test behaviorinformation associated with the object).

Additionally, or alternatively, user device 210 may provide informationassociated with one or more user actions associated with the object. Forexample, user device 210 may provide information associated with userinput (e.g., a username, a password, a selection of a particular button,a selection of a particular area of a user interface, etc.) provided bythe user and associated with the object (e.g., such that security device210 may re-create the one or more user actions in order to performadditional testing associated with the object). Additionally, oralternatively, user device 210 may provide a memory snapshot associatedwith the object. For example, user device 210 may provide informationassociated with memory space of a process that is running on user device210 (e.g., such that security device 220 may re-establish a matchingmemory space within a sandbox environment in order to perform additionaltesting associated with the object).

Although FIG. 6 shows example blocks of process 600, in someimplementations, process 600 may include additional blocks, fewerblocks, different blocks, or differently arranged blocks than thosedepicted in FIG. 6. Additionally, or alternatively, two or more of theblocks of process 600 may be performed in parallel.

FIG. 7 is a diagram of an example implementation 700 relating to exampleprocess 600 shown in FIG. 6. For the purposes of FIG. 7, assume thatuser device 210 (e.g., UD1) has requested an object (e.g., game.exe)from server device 230 (e.g., SiteX server). Further, assume thatsecurity device 220 (e.g., SD1), positioned between UD1 and the SiteXserver, has received the object, determined and stored test behaviorinformation associated with the object, and has determined (e.g., basedon the test behavior information) that the UD1 may receive the object.Finally, assume that UD1 is configured to determine actual behaviorinformation, associated with the object, and provide the actual behaviorinformation to SD1.

As shown in FIG. 7, and by reference number 705, SD1 may provide theobject to UD1. As shown by reference number 710, UD1 may receive theobject, and may (e.g., based on an indication from the user) execute theobject. As shown by reference number 715, UD1 may determine actualbehavior information, associated with the object, during a one minuteperiod of time after UD1 begins executing the object (e.g., assume thatUD1 is configured to provide the actual behavior information one minuteafter beginning execution of the object). As shown, UD1 may determineactual behavior information that identifies three behaviors associatedwith executing the object (e.g., a creation of a game folder associatedwith game.exe, an edit of registry key Y, and a scheduling of task X).As shown by reference number 720, UD1 may provide the actual behaviorinformation, associated with the object and determined by UD1, to SD1.

As indicated above, FIG. 7 is provided merely as an example. Otherexamples are possible and may differ from what was described with regardto FIG. 7.

FIG. 8 is a flow chart of an example process 800 for identifying anobject as an evasive malicious object based on comparing actual behaviorinformation, associated with the object, and the test behaviorinformation associated with the object. In some implementations, one ormore process blocks of FIG. 8 may be performed by security device 220.In some implementations, one or more process blocks of FIG. 8 may beperformed by another device or a group of devices separate from orincluding security device 220, such as user device 210.

As shown in FIG. 8, process 800 may include receiving actual behaviorinformation associated with an object (block 810). For example, securitydevice 220 may receive actual behavior information associated with anobject. In some implementations, security device 220 may receive theactual behavior information, associated with the object, when userdevice 210 provides the actual behavior information, as described abovewith regard to process 600.

In some implementations, security device 220 may receive the actualbehavior information based on a configuration of user device 210 (e.g.,when user device 210 is configured to provide the actual behaviorinformation at a particular time, at particular intervals of time,etc.). Additionally, or alternatively, security device 220 may receivethe actual behavior information based on a request provided by securitydevice 220 (e.g., when security device 220 requests the actual behaviorinformation from user device 210). Additionally, or alternatively,security device 220 may receive the actual behavior information atanother time.

As further shown in FIG. 8, process 800 may include determining testbehavior information associated with the object (block 820). Forexample, security device 220 may determine test behavior informationassociated with the object. In some implementations, security device 220may determine the test behavior information after security device 220receives the actual behavior information. Additionally, oralternatively, security device 220 may determine the test behaviorinformation when security device 220 receives the object (e.g., asdescribed above). Additionally, or alternatively, security device 220may determine the test behavior information when security device 220receives information indicating that security device 220 is to determinethe test behavior information.

In some implementations, security device 220 may determine the testbehavior information, associated with the object, based on informationstored by security device 220. For example, security device 220 maydetermine and store the test behavior information, as described abovewith regard to process 400, and may determine the test behaviorinformation based on the stored information.

Additionally, or alternatively, security device 220 may determine thetest behavior information based on testing the object (e.g., whensecurity device 220 did not test the object before user device 210received the object). In other words, security device 220 may performprocess 400 after user device 210 provides the actual behaviorinformation associated with the object.

As further shown in FIG. 8, process 800 may include comparing the actualbehavior information and the test behavior information (block 830). Forexample, security device 220 may compare the actual behavior informationand the test behavior information. In some implementations, securitydevice 220 may compare the actual behavior information and the testbehavior information after security device 220 determines the testbehavior information. Additionally, or alternatively, security device220 may compare the actual behavior information and the test behaviorinformation after security device 220 receives the actual behaviorinformation. Additionally, or alternatively, security device 220 maycompare the actual behavior information and the test behaviorinformation after security device 220 receives information indicatingthat security device 220 is to compare the actual behavior informationand the test behavior information.

In some implementations, security device 220 may compare the actualbehavior information and the test behavior information in order todetermine whether the object behaved differently when tested by securitydevice 220 as compared to being executed, run, opened, installed, or thelike, by user device 210 (e.g., a difference between the actual behaviorinformation and the test behavior information may indicate that theobject is an evasive malicious object). In some implementations,security device 220 may identify a difference between the actualbehavior information and the test behavior information based oncomparing the actual behavior information and the test behaviorinformation. For example, security device 220 may determine that theactual behavior information identifies a behavior that is not identifiedin the test behavior information, that the test behavior informationidentifies a behavior that is not identified in the actual behaviorinformation, that the actual behavior information identifies a differentbehavior than a behavior identified in the test behavior information, orthe like. In some implementations, security device 220 may identify oneor more differences between the actual behavior information and the testbehavior information.

As further shown in FIG. 8, process 800 may include identifying theobject as an evasive malicious object based on comparing the actualbehavior information and the test behavior information (block 840). Forexample, security device 220 may identify an object as an evasivemalicious object based on comparing the actual behavior information andthe test behavior information. In some implementations, security device220 may identify the object as an evasive malicious object aftersecurity device 220 compares the actual behavior information and thetest behavior information. In some implementations, security device 220may identify the object as an evasive malicious object when securitydevice 220 receives information indicating that security device 220 isto identify the object as an evasive malicious object.

In some implementations, security device 220 may identify the object asan evasive malicious object based on comparing the actual behaviorinformation and the test behavior information. For example, securitydevice 220 may compare the actual behavior information and the testbehavior information, and may determine that the object exhibited one ormore malicious behaviors on user device 210, and that the object did notexhibit the one or more malicious behaviors on security device 220(e.g., during testing of the object in a sandbox environment). In thisexample, security device 220 may identify the object as an evasivemalicious object based on determining that the object exhibited the oneor more malicious behaviors on user device 210 (e.g., when securitydevice 220 is configured to identify an object as an evasive maliciousobject when the object exhibits one or more malicious behaviors on userdevice 210, but does not exhibit the one or more malicious behaviors onsecurity device 220).

Additionally, or alternatively, security device 220 may identify theobject as an evasive malicious object based on additional testingassociated with the object. For example, security device 220 may comparethe actual behavior information and the test behavior information, andmay determine that the object exhibited a malicious behavior on userdevice 210, and that the object did not exhibit the malicious behavioron security device 220. In this example, assume that security device 220has received, from user device 210, information associated with one ormore user actions associated with executing the object. Here, securitydevice 220 may use the information associated with the one or more useractions in order to re-create the execution of the object on user device210, and security device 220 may perform additional testing of theobject (e.g., using another malware detection technique, virus detectiontechnique, spyware detection technique, ransomware detection technique,etc.) in order to determine whether the object is an evasive maliciousobject.

Additionally, or alternatively, security device 220 may identify theobject as a malicious object based a manner in which the actual behaviorinformation differs from the test behavior information. For example, ifthe object exhibits a behavior that includes a first feature (e.g., acreation of a file in a recycle bin) and an associated second feature(e.g., causing the file to be automatically executed) on client device210, and does not exhibit the first feature or the second feature onsecurity device 220, then security device 220 may identify the object asan evasive malicious object. In other words, the exhibited behaviors maybe broken down into features, and security device 220 may determine(e.g., based on static rules stored by security device 220, based ondynamic rules determined by security device 220 using a machine learningtechnique, etc.) whether the object is an evasive malicious object.

In some implementations, security device 220 may provide an indicationafter identifying the object as an evasive malicious object. Forexample, security device 220 may identify the object as an evasivemalicious object, and security device 220 may provide (e.g., to anadministrator device associated with user device 210, to user device210, etc.) a notification that user device 210 has received an evasivemalicious object. As another example, security device 220 may identifythe object as an evasive malicious object, and may remove user device210 from network 240 (e.g., such that user device 210 cannot infectother user devices 210 with the evasive malicious object). As yetanother example, security device 220 may cause the evasive maliciousobject to be removed from user device 210. Additionally, oralternatively, security device 220 may take another type of correctiveaction associated with the object and/or user device 210. For example,security device 220 may notify a firewall to filter objects that aresimilar to the object, may add information associated with the object toa blacklist, or the like.

Although FIG. 8 shows example blocks of process 800, in someimplementations, process 800 may include additional blocks, fewerblocks, different blocks, or differently arranged blocks than thosedepicted in FIG. 8. Additionally, or alternatively, two or more of theblocks of process 800 may be performed in parallel.

FIG. 9 is a diagram of an example implementation 900 relating to exampleprocess 800 shown in FIG. 8. For the purposes of FIG. 9, assume thatsecurity device 220 (e.g., SD1) has determined and stored test behaviorinformation, associated with an object (e.g., game.exe), that identifiestwo behaviors (e.g., a creation of a game folder and a download of gameimages) associated with testing the object in a test environment (e.g.,a sandbox environment). Further, assume that user device 210 (e.g., UD1)has received the object and determined actual behavior, associated withthe object, that identifies three behaviors (e.g., a creation of a gamefolder, an edit of registry key X, and a scheduling of task Y)associated with executing the object on UD1.

As shown in FIG. 9, and by reference number 905, UD1 may provide, toSD1, the actual behavior information associated with the object. Asshown by reference number 910, SD1 may receive the actual behaviorinformation, and may determine (e.g., based on information stored bySD1) the test behavior information associated with the object. As shownby reference number 915, SD1 may compare the actual behavior informationand the test behavior information and, as shown by reference number 920,may determine that the actual behavior information differs from the testbehavior information (e.g., since the test behavior information does notidentify a behavior associated with editing registry key X or schedulingtask Y, and since the test behavior information does not identify abehavior associated with downloading game image files). For the purposesof example implementation 900, assume that SD1 is configured to identifyan edit of a registry key as a malicious behavior and a scheduling of atask as a malicious behavior. As shown by reference number 925, SD1 mayidentify the object as an evasive malicious object (e.g., since theactual behavior information identifies two malicious behaviors notincluded in the test behavior information). As shown by reference number930, SD1 may provide, to UD1, an indication that the object is anevasive malicious object (e.g., such that the user may delete theobject, stop executing the object, etc.).

As indicated above, FIG. 9 is provided merely as an example. Otherexamples are possible and may differ from what was described with regardto FIG. 9.

Implementations described herein may allow a security device todetermine whether an object is an evasive malicious object based oncomparing actual behavior information, associated with the object anddetermined by a user device, and test behavior information associatedwith the object and determined by the security device.

The foregoing disclosure provides illustration and description, but isnot intended to be exhaustive or to limit the implementations to theprecise form disclosed. Modifications and variations are possible inlight of the above disclosure or may be acquired from practice of theimplementations.

As used herein, the term component is intended to be broadly construedas hardware, firmware, and/or a combination of hardware and software.

Some implementations are described herein in connection with thresholds.As used herein, satisfying a threshold may refer to a value beinggreater than the threshold, more than the threshold, higher than thethreshold, greater than or equal to the threshold, less than thethreshold, fewer than the threshold, lower than the threshold, less thanor equal to the threshold, equal to the threshold, etc.

It will be apparent that systems and/or methods, described herein, maybe implemented in different forms of hardware, firmware, or acombination of hardware and software. The actual specialized controlhardware or software code used to implement these systems and/or methodsis not limiting of the implementations. Thus, the operation and behaviorof the systems and/or methods were described herein without reference tospecific software code—it being understood that software and hardwarecan be designed to implement the systems and/or methods based on thedescription herein.

Even though particular combinations of features are recited in theclaims and/or disclosed in the specification, these combinations are notintended to limit the disclosure of possible implementations. In fact,many of these features may be combined in ways not specifically recitedin the claims and/or disclosed in the specification. Although eachdependent claim listed below may directly depend on only one claim, thedisclosure of possible implementations includes each dependent claim incombination with every other claim in the claim set.

No element, act, or instruction used herein should be construed ascritical or essential unless explicitly described as such. Also, as usedherein, the articles “a” and “an” are intended to include one or moreitems, and may be used interchangeably with “one or more.” Furthermore,as used herein, the term “set” is intended to include one or more items,and may be used interchangeably with “one or more.” Where only one itemis intended, the term “one” or similar language is used. Also, as usedherein, the terms “has,” “have,” “having,” or the like are intended tobe open-ended terms. Further, the phrase “based on” is intended to mean“based, at least in part, on” unless explicitly stated otherwise.

What is claimed is:
 1. A device comprising: a memory; and one or moreprocessors to: determine, based on an object being executed in a testenvironment, first behavior information associated with the object;provide, to a user device, the object and a first indication that theuser device is to determine second behavior information associated withthe object; receive, based on the object being at least one of opened,executed, run, or installed on the user device, the second behaviorinformation, the second behavior information being received based on adeviation from the first behavior information being detected; determinewhether the first behavior information identifies a behavior exhibitedby the object when the object is at least one of opened, executed, run,or installed on the user device; and provide a second indication thatthe object is a malicious object based on determining that the firstbehavior information does not identify the behavior and based on thesecond behavior information being different from the first behaviorinformation.
 2. The device of claim 1, where the test environment isimplemented within an operating system running on a virtual machine. 3.The device of claim 1, where the one or more processors, whendetermining the first behavior information, are to: determine the firstbehavior information by performing a static analysis of the object. 4.The device of claim 1, where the object is not permitted to be providedto the user device based on the first behavior information indicatingthat the object is the malicious object; and where the one or moreprocessors, when providing, to the user device, the object and the firstindication, are to: provide, to the user device and based on the firstbehavior information not indicating that the object is the maliciousobject, the object and the first indication.
 5. The device of claim 1,where the one or more processors are further to: provide the firstbehavior information to the user device.
 6. A method, comprising:determining, by a device and based on an object being executed in a testenvironment, first behavior information associated with the object;providing, by the device and to a user device, the object and a firstindication that the user device is to determine second behaviorinformation associated with the object; receiving, by the device andbased on the object being at least one of opened, executed, run, orinstalled, the second behavior information, the second behaviorinformation being received based on a deviation from the first behaviorinformation being detected; determining, by the device, whether thefirst behavior information identifies a behavior exhibited by the objectwhen the object is at least one of opened, executed, run, or installed;and providing, by the device, a second indication that the object is amalicious object based on determining that the first behaviorinformation does not identify the behavior and based on the secondbehavior information being different from the first behaviorinformation.
 7. The method of claim 6, where the second behaviorinformation is determined for a threshold amount of time after theobject is executed.
 8. The method of claim 6, where the second behaviorinformation is received periodically.
 9. The method of claim 6, wherethe deviation is detected by another device.
 10. The method of claim 6,where the behavior includes one or more malicious behaviors.
 11. Themethod of claim 6, further comprising: receiving information associatedwith one or more user actions associated with executing the object;re-creating an execution of the object based on the informationassociated with the one or more user actions; and performing testing ofthe object based on re-creating the execution of the object.
 12. Themethod of claim 6, where receiving the second behavior informationcomprises: receiving the second behavior information from the userdevice; and where providing the second indication that the object is themalicious object comprises: providing, to the user device, the secondindication that the object is the malicious object.
 13. A non-transitorycomputer-readable medium storing instructions, the instructionscomprising: one or more instructions that, when executed by one or moreprocessors, cause the one or more processors to: determine, based on anobject being executed in a test environment, first behavior informationassociated with the object; provide, to a user device, the object and afirst indication that the user device is to determine second behaviorinformation associated with the object; receive, based on the objectbeing at least one of opened, executed, run, or installed on the userdevice, the second behavior information; determine whether the firstbehavior information identifies a behavior exhibited by the object whenthe object is at least one of opened, executed, run, or installed on theuser device; and provide a second indication that the object is amalicious object based on determining that the first behaviorinformation does not identify the behavior and based on the secondbehavior information being different from the first behaviorinformation.
 14. The non-transitory computer-readable medium of claim13, where the one or more instructions, when executed by the one or moreprocessors, further cause the one or more processors to: remove the userdevice from a network based on determining that the object is themalicious object.
 15. The non-transitory computer-readable medium ofclaim 13, where the one or more instructions, when executed by the oneor more processors, further cause the one or more processors to: removethe object from the user device based on determining that the object isthe malicious object.
 16. The non-transitory computer-readable medium ofclaim 13, where the test environment is implemented within an operatingsystem running on a virtual machine.
 17. The non-transitorycomputer-readable medium of claim 13, where the one or moreinstructions, that cause the one or more processors to receive thesecond behavior information, cause the one or more processors to:receive the second behavior information based on a deviation from thefirst behavior information being detected.
 18. The device of claim 1,where the one or more processors, when receiving the second behaviorinformation, are to: receive the second behavior information atparticular intervals of time.
 19. The device of claim 1, where the oneor more processors, when determining the first behavior information, areto: determine the first behavior information after receiving the secondbehavior information.
 20. The non-transitory computer-readable medium ofclaim 13, where the one or more instructions, that cause the one or moreprocessors to receive the second behavior information, cause the one ormore processors to: receive the second behavior information based onreceiving information indicating that the second behavior information isto be determined.